"""
# pylint: disable=missing-function-docstring,line-too-long,invalid-name
-# pylint: disable=too-many-branches,too-many-statements
+# pylint: disable=too-many-branches,too-many-statements,too-many-locals
from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND
KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y')]
+ vmap_stack_is_set = KconfigCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')
if arch in ('X86_64', 'ARM64', 'ARM'):
- l += [KconfigCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')]
+ l += [vmap_stack_is_set]
if arch in ('X86_64', 'X86_32'):
l += [KconfigCheck('self_protection', 'defconfig', 'SPECULATION_MITIGATIONS', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_WX', 'y')]
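Review bot: `vmap_stack_is_set` is now created for every architecture but appended to the list only for X86_64, ARM64 and ARM, and nothing at the assignment says why. The name is reused further down as the alternative to `SCHED_STACK_END_CHECK`, so the assignment has to sit outside both surrounding `if arch in (...)` blocks; indentation is not visible on this page, so that placement is worth confirming. I would add a comment above it such as `# created for all arches: also the accepted alternative to SCHED_STACK_END_CHECK below`. The enclosing function starts and ends outside the hunk.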
# 'self_protection', 'kspp'
l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
- l += [KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_VIRTUAL', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_SG', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y')]
- l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
+ cfi_clang_is_set = KconfigCheck('self_protection', 'kspp', 'CFI_CLANG', 'y')
+ cfi_clang_permissive_not_set = KconfigCheck('self_protection', 'kspp', 'CFI_PERMISSIVE', 'is not set')
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y'),
+ AND(cfi_clang_is_set,
+ cfi_clang_permissive_not_set))]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y'),
+ vmap_stack_is_set)]
kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')
l += [kfence_is_set]
l += [AND(KconfigCheck('self_protection', 'my', 'KFENCE_SAMPLE_INTERVAL', 'is not off'),
gcc_plugins_support_is_set)]
l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
if arch in ('X86_64', 'ARM64'):
- cfi_clang_is_set = KconfigCheck('self_protection', 'kspp', 'CFI_CLANG', 'y')
l += [cfi_clang_is_set]
- l += [AND(KconfigCheck('self_protection', 'kspp', 'CFI_PERMISSIVE', 'is not set'),
+ l += [AND(cfi_clang_permissive_not_set,
cfi_clang_is_set)]
if arch in ('X86_64', 'X86_32'):
l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
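Review bot: The `KFENCE_SAMPLE_INTERVAL` check in the context lines right after the new `OR(...)` checks is gated on `gcc_plugins_support_is_set`, which looks unrelated to KFENCE; `kfence_is_set` is assigned two lines earlier and is presumably the intended dependency, i.e. `kfence_is_set)]`. If the engine fails an `AND` when its dependency fails, a Clang-built kernel with KFENCE enabled would be reported as failing here for the wrong reason; `gcc_plugins_support_is_set` is defined outside the hunk, so this should be confirmed against the full file. Separately, the two new `OR(...)` checks accept a substitute option without saying why, so a report will presumably show OK on the strength of a different option than the one named first. A short comment on each would record the rationale, e.g. `# VMAP_STACK guard pages make SCHED_STACK_END_CHECK optional` and `# strict CFI (CFI_CLANG without CFI_PERMISSIVE) is accepted instead of DEBUG_NOTIFIERS`. The enclosing function continues outside the hunk.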